Tuesday, September 7, 2010

The final module in the upcoming pentesting VoIP crashcourse is the most exciting one. In this section we look at VoIP systems as a whole. "Unified communications" is one of those terms that has been hyped up to cover everything from chat to video calls and SMS. What we will look at in this section is how to go about breaking into the following during a penetration test:

Web application security flaws in Asterisk-based PBX servers

Attacking various services open in PBX servers, such as TFTP

How once you're on a PBX network, you can sometimes simply use your phone to spy on other phone calls

How to make use of hardware taps

Hardware phone features that can be abused

Abuse of various exposed features in Cisco call manager accessible on the HTTP server

This module will help familiarize the attendees with the target servers and systems. Who knows, it may even give a kick-start to finding some new 0-days in one of these Unified Communications solutions ;-)

We trust our phones with our sensitive data more than most other forms of communication. We may not trust sending our credit card number to a hotel by email, yet in the end we give it to them over the phone anyway, and it may not matter whether that phone is a mobile phone or a VoIP phone.

Since VoIP phones look very much like traditional phones, most people are surprised to learn (the hard way) that their calls can be intercepted just like the traffic of any other device or computer on the network. This is one of the topics covered in the third module. We will use readily available tools that allow you to sniff phone calls over the network very easily. Tools include Wireshark, UCSniff and Cain & Abel.

These tools handle RTP and codecs differently, so we will see which ones are best for the job.

As a penetration tester, you will encounter setups that try to prevent ARP cache poisoning and other attacks that allow for media interception. During this training we will look at each of these solutions and at how they can often be defeated.

When it comes to media, interception is not the only concern. There are tools that perform RTP injection, i.e. modify the RTP stream on the fly, which makes for an interesting demonstration. Then there are covert channels, where an insider embeds his/her data inside the RTP stream.
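The countermeasures mentioned above work by catching the ARP cache poisoning that media interception usually depends on. As an added example (not a tool from the course), here is the detection side written in Python: it parses a constructed log of observed ARP replies, flags any IP address that more than one MAC address has claimed, and checks the gateway's address against a static binding. The log format, the addresses and the gateway binding are all assumptions made for this example.

```python
"""Detect ARP cache poisoning from a log of observed ARP replies.

Added example, not part of the original post. The record format
'<ts> <sender_ip> <sender_mac>' and all addresses below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since epoch when the reply was seen
    ip: str     # sender protocol address (the IP being claimed)
    mac: str    # sender hardware address (who claims it)


def parse_arp_line(line: str) -> ArpReply:
    """Parse one constructed record: '<ts> <sender_ip> <sender_mac>'."""
    ts, ip, mac = line.split()
    return ArpReply(float(ts), ip, mac.lower())


def ip_mac_conflicts(replies: Iterable[ArpReply]) -> Dict[str, List[str]]:
    """IPs that were claimed by more than one MAC, with the sorted list of claimants.

    A legitimate host can change NIC, but the same IP answered by two MACs
    within one capture is the classic symptom of a poisoning attempt.
    """
    seen = defaultdict(set)
    for r in replies:
        seen[r.ip].add(r.mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def binding_violations(replies: Iterable[ArpReply],
                       known: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs that claimed an IP with a static binding but are not the bound MAC.

    `known` holds the administrator's static bindings, e.g. the default
    gateway and the PBX, which are the usual targets of interception.
    """
    bad = defaultdict(set)
    for r in replies:
        expected = known.get(r.ip)
        if expected is not None and r.mac != expected.lower():
            bad[r.ip].add(r.mac)
    return {ip: sorted(macs) for ip, macs in bad.items()}


# Constructed sample: the gateway 10.0.0.1 is first announced by its real
# MAC, then a second station starts answering for it; a phone behaves normally.
SAMPLE_ARP_LOG = [
    "1283821200.0 10.0.0.1  aa:bb:cc:00:00:01",
    "1283821200.5 10.0.0.20 aa:bb:cc:00:00:20",
    "1283821231.0 10.0.0.1  DE:AD:BE:EF:00:01",   # spoofed reply (constructed)
    "1283821232.0 10.0.0.1  de:ad:be:ef:00:01",
    "1283821260.0 10.0.0.20 aa:bb:cc:00:00:20",
]

# Constructed static bindings for the hosts that matter most.
STATIC_BINDINGS = {"10.0.0.1": "aa:bb:cc:00:00:01"}


def analyze_arp(lines: Iterable[str], known: Dict[str, str]) -> dict:
    """Run both checks over raw log lines and return their findings."""
    replies = [parse_arp_line(l) for l in lines]
    return {
        "conflicts": ip_mac_conflicts(replies),
        "violations": binding_violations(replies, known),
    }


if __name__ == "__main__":
    for kind, hits in analyze_arp(SAMPLE_ARP_LOG, STATIC_BINDINGS).items():
        for ip, macs in hits.items():
            print(f"{kind}: {ip} claimed by {', '.join(macs)}")
```

Running it over the sample reports 10.0.0.1 under both checks. The binding check is the one worth keeping in production, because a conflict alone can also come from a replaced phone; the static binding says which of the two claimants is the intruder.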

Most VoIP systems perform signaling using a protocol separate from the media transfer protocol. Signaling protocols allow VoIP systems to register, authenticate and initiate phone calls, and they tend to carry a lot of intelligence with them. In this part of the training, Joffrey and I will talk you through the following signaling protocols and the attacks that apply to each of them:

SIP - an open standard

IAX2 - used by Asterisk PBX and compatible phones

SCCP (Skinny) - used by Cisco systems

MGCP - the media gateway control protocol, typically used between gateways and IVR systems

H.323 - found in gateways and older systems

The fun part? The exercises! We plan to use a hands-on approach rather than simply describe the protocols and attacks.

These are some of the practicals we have in store:

Sniffing SIP, in order to understand how it all works and also to spy on the metadata carried in the signaling

Scanning SIP, to see how we can easily identify SIP devices very quickly using SIPVicious and other tools

SIP extension enumeration and online password cracking, to understand better how VoIP attackers are in fact making phone calls for free at the expense of their victims

Avoiding toll / fraudulent calls, featuring the main ways in which attackers are abusing SIP PBX servers out there

INVITE floods, which are still an effective attack and can bring down various SIP-enabled devices

Fuzzing SIP, the existing tools and their usage

Using John the Ripper to crack SIP passwords, which also includes capturing the SIP authentication messages and patching John the Ripper to crack the hash

Online and offline password cracking in IAX2, the tools and their usage

Scanning IAX2, which allows us to find Asterisk servers

MitM attacks using an SCCP proxy, which is a fun way of playing with the phones and can allow us to turn Cisco phones into remote spy bugs

Capturing FAC (Forced Authorization Code) codes, a restriction usually used in Cisco VoIP environments to allow / block international calls

Call fraud with MGCP, since MGCP has little or no security

DoS on MGCP, or how to cause your VoIP Gateway to go down

RTP redirection, which can allow all sorts of fun (and sometimes profit)

Callmanager hijack (details later ;-))
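Two of the SIP practicals above, extension enumeration with online password guessing and INVITE floods, leave a very recognizable trace on the PBX. As an added example (not part of the course material), the Python below runs simple detection logic over a constructed log of SIP requests and the final response each received: a source that collects many REGISTER rejections against distinct extensions in a short window is flagged as enumerating or guessing, and a source whose INVITE rate exceeds a threshold is flagged as flooding. The record format, the addresses, the timestamps and both thresholds are assumptions for this example, not Asterisk's own log format.

```python
"""Flag SIP extension enumeration / password guessing and INVITE floods.

Added example, not part of the original post. Records use a constructed
format '<ts> <src_ip> <method> <extension> <response_code>'.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Responses a PBX gives to a REGISTER that names an unknown extension or a
# wrong credential. 401/407 are the challenge, 403 a refusal, 404 unknown user.
FAILURE_CODES = {401, 403, 404, 407}


@dataclass(frozen=True)
class SipEvent:
    ts: float     # seconds since epoch
    src: str      # source IP of the request
    method: str   # SIP method, e.g. REGISTER or INVITE
    ext: str      # extension targeted (user part of the Request-URI)
    code: int     # final response code the PBX sent back


def parse_line(line: str) -> SipEvent:
    """Parse one constructed record into a SipEvent."""
    ts, src, method, ext, code = line.split()
    return SipEvent(float(ts), src, method.upper(), ext, int(code))


def max_in_window(timestamps: List[float], window: float) -> int:
    """Largest number of events inside any interval of length `window` seconds."""
    ts = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(ts):
        while t - ts[left] > window:   # slide the left edge forward
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_enumeration(events: Iterable[SipEvent], window: float = 60.0,
                       threshold: int = 5) -> Dict[str, int]:
    """Sources with >= threshold failed REGISTERs inside `window`.

    Returns {src: number of distinct extensions that source tried}; a high
    count of distinct extensions means enumeration, a count of one with many
    failures means guessing a single account's password.
    """
    failures, exts = defaultdict(list), defaultdict(set)
    for e in events:
        if e.method == "REGISTER" and e.code in FAILURE_CODES:
            failures[e.src].append(e.ts)
            exts[e.src].add(e.ext)
    return {src: len(exts[src]) for src, ts in failures.items()
            if max_in_window(ts, window) >= threshold}


def detect_invite_flood(events: Iterable[SipEvent], window: float = 1.0,
                        threshold: int = 20) -> Dict[str, int]:
    """Sources whose INVITE count in any `window` reaches threshold -> peak count."""
    invites = defaultdict(list)
    for e in events:
        if e.method == "INVITE":
            invites[e.src].append(e.ts)
    peaks = {src: max_in_window(ts, window) for src, ts in invites.items()}
    return {src: n for src, n in peaks.items() if n >= threshold}


BASE = 1283821200.0  # constructed epoch timestamp for the sample
SAMPLE_LOG = (
    # a legitimate phone: one successful registration and one call
    [f"{BASE + 1.0} 10.0.0.20 REGISTER 201 200",
     f"{BASE + 5.0} 10.0.0.20 INVITE 202 200"]
    # 10.0.0.5 walks extensions 100..107, each REGISTER rejected
    + [f"{BASE + 10 + i} 10.0.0.5 REGISTER {100 + i} 401" for i in range(8)]
    # 10.0.0.9 sends 25 INVITEs within half a second
    + [f"{BASE + 30 + i * 0.02} 10.0.0.9 INVITE 300 100" for i in range(25)]
)


def analyze(lines: Iterable[str]) -> dict:
    """Run both detectors over raw log lines."""
    events = [parse_line(l) for l in lines]
    return {"enumeration": detect_enumeration(events),
            "invite_flood": detect_invite_flood(events)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for src, n in hits.items():
            print(f"{kind}: {src} ({n})")
```

On the sample this reports 10.0.0.5 as enumerating (8 distinct extensions) and 10.0.0.9 as flooding (25 INVITEs in one second) while the legitimate phone stays silent. The same sliding-window counter serves both checks; what changes is the event filter and the window, which is why the thresholds are parameters rather than constants.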

With all these exercises we expect the attendees to be kept really busy and to gain useful experience with the signaling protocols.